Digital certificate storage and security of IC card and USB Key

Generation, Distribution, and Storage of Digital Certificates

First, let's briefly review how digital certificates are generated and distributed. How does an online user get a digital certificate?

1. The user must first apply to the RA for registration.
2. After the user's application is approved by the RA, the RA submits a registration establishment request to the CA.
3. The CA establishes a registration for the user and returns the registration establishment result to the RA.
4. The RA notifies the user of the registration result. The registration result contains two sets of numbers, called the "reference number" and the "authorization code".
5. The user's software generates a pair of public and private keys.
6. The user makes a certificate request to the CA. The request also includes information such as the user's public key and the user's alias, which the CA uses when it creates the certificate.
7. The CA creates a digital certificate for this user.
8. The certificate is distributed to the user in an appropriate manner.

There are several ways for a CA to distribute certificates to users. The first is out-of-band distribution, which is done offline. For example, in the national tax certificate project of Beijing, the key pair is generated by the software operator instead of the customer. The certificate is also downloaded from the CA by the operator instead of the customer, and the private key and the downloaded certificate are then stored together on a floppy disk, which is handed over to the user. The advantage of this is that it spares users the hassle of downloading certificates online. The second is in-band distribution, where users download digital certificates from the Internet to their own computers. When downloading, the user must present the "reference number" and "authorization code" to the CA to prove his identity. This is less expensive, but users who are less familiar with computers may have some trouble with the download. In addition to these two methods, the CA also publishes the certificate in a public database.

Digital certificates and private keys can be stored on a variety of media: the computer's hard drive, a floppy disk, a smart card, or a USB key.

Concepts that need clarification

1. Uniqueness of the private key

Strictly speaking, since the private key is unique in the world and is held only by the subject itself, it must be generated by a program on the subject's own computer, because a key generated elsewhere could be copied. In practical applications, however, this is not always the case. To meet certain special needs (for example, if there were only one copy of the private key, an organization's encrypted files could no longer be decrypted once a departing employee took the private key away), the public/private key pair used for encryption is required to be backed up and stored by a trusted third party. Thus, the private key used for encryption may not be unique. However, the private key used for signature must remain unique, otherwise the non-repudiation of the signed information cannot be guaranteed.

When a user's key pairs are generated, the public/private key pair for encryption may be generated by the CA or the RA, or by a dedicated program (such as a browser or authentication software) on the user's own machine. In principle, the key pair used for digital signature can only be generated by a program on the user's machine, so as to ensure the privacy of the private key and the non-repudiation of the communication.

Some people may ask: in the Beijing national tax certificate project, both the encryption and the signature key pairs are generated by the software operator instead of the customer. Does this undermine the principle of private key uniqueness described above? The answer is no. In this case, the uniqueness of the private key depends on the guarantee of a legal contract and on the constraints of the corresponding rules in the operating process, and these are what support non-repudiation. Because of this mechanism, we can still regard the user's signature private key as unique.

2. The certificate or the private key: which one should be protected?

We often hear people say: "Look after your floppy disk, look after your KEY, don't let others steal your certificate." Some textbooks say this too. Strictly speaking, this statement is wrong. Digital certificates can be published online and there is no need to fear their being misappropriated or tampered with. Someone who takes another person's certificate does not have the corresponding private key, so the stolen certificate can be used neither for encrypted communication nor for a digital signature, and has no practical use. Moreover, since the CA has digitally signed the contents of the certificate, a certificate published on the Internet is not at risk from tampering. What should be protected is the private key stored on the medium. If a hacker steals the certificate and the private key at the same time, the danger is real.

Why is the USB key safe?

Different storage media offer different levels of security. If the certificate and private key are stored on the computer's hard drive, they may be stolen if the computer is hacked (for example, if a Trojan horse is planted on it).

Using a floppy disk or a storage-type IC card to store certificates and private keys is safer than a hard disk, because these two media are connected to the computer only while they are in use and are removed afterwards, which reduces the possibility of the certificate and private key being stolen. However, hackers still have an opportunity. Since the floppy disk and the storage-type IC card have no computing power, the user's private key must be transferred out of the floppy disk or IC card into the external computer whenever a cryptographic operation is performed, and this introduces certain security risks.

It is safer to store digital certificates and private keys on smart cards (IC cards that contain a CPU). Why is that? A smart card has a certain amount of computing capability: the CPU in the chip is a small computer.

The program (instruction set) that generates the public/private key pair is burned into the ROM of the chip by the smart card manufacturer, and the cryptographic algorithm program is burned into the ROM as well. After the public/private key pair has been generated inside the smart card, the public key can be exported from the card, while the private key is stored in the key area of the chip, to which external access is not allowed.

The key file in the smart card is stored in the EEPROM. Reads and writes of the key file can only be performed by the program inside the card. At the card's external interface there is no command to read, modify, update, or delete the contents of the key area. The only exception would be if the person who designs and writes the card operating system (COS) left a back door in the COS, in which case only he would know how to retrieve the contents of the key area from the outside. But we can rule out the possibility of hackers colluding with COS designers.

During encryption and signing, the application software on the external computer calls the smart card API, passes in parameters, data and commands, starts the digital signature or other cryptographic operation inside the smart card, and receives the returned result. Since the CPU inside the smart card performs these operations, the private key never leaves the smart card during the whole process, and a hacker's attack program has no chance to intercept it. This is much safer than keeping the certificate and private key on a floppy disk or a hard disk.
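The contrast between a storage-type card and a CPU card described above, as an added illustration that is not part of the original article: a Python model in which the host collects every response that crosses the card interface. The command names (READ_KEY, GET_PUBLIC_KEY, SIGN), the class names and the toy textbook-RSA key (128-bit modulus, no padding) are assumptions made for the demonstration and do not correspond to any real card operating system.

```python
# Illustrative model only: command names and toy RSA are assumptions, not a real COS.
import hashlib
import secrets

E = 65537  # public exponent

def _toy_prime(bits=64):
    while True:  # Fermat test on random odd candidates: demo quality only
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if c % E != 1 and all(pow(a, c - 1, c) == 1 for a in (2, 3, 5, 7)):
            return c

def keygen():
    p, q = _toy_prime(), _toy_prime()
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # modulus n, private exponent d

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def verify(n, msg, sig):
    return pow(sig, E, n) == digest(msg, n)

class StorageCard:
    """Memory-only medium: the host has to read the key out to use it."""
    def __init__(self):
        self._n, self._d = keygen()  # stands in for a key written at issuance
    def command(self, name, data=b""):
        if name == "READ_KEY":
            return self._n, self._d
        raise ValueError("unsupported command: " + name)

class CpuCard:
    """CPU card: key generated and used on-card; no command reads the key area."""
    def __init__(self):
        self._n, self._d = keygen()
    def command(self, name, data=b""):
        if name == "GET_PUBLIC_KEY":
            return self._n
        if name == "SIGN":
            return pow(digest(data, self._n), self._d, self._n)
        raise ValueError("unsupported command: " + name)

def sign_via(card, msg):
    """Host-side signing; returns (n, sig, wire), wire = every card response."""
    if isinstance(card, CpuCard):
        wire = [card.command("GET_PUBLIC_KEY"), card.command("SIGN", msg)]
        return wire[0], wire[1], wire
    n, d = card.command("READ_KEY")
    return n, pow(digest(msg, n), d, n), [(n, d)]  # d was in host memory
```

Both cards yield a signature that verifies, but only the storage card's responses contain the private exponent; anything on the host that can observe the interface sees it there and never sees it with the CPU card.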

Physically, it is almost impossible to make a complete copy of the contents of a smart card chip. I have heard that someone can analyze the code in the chip from the weak electromagnetic field changes that occur while the smart card chip is operating, or from the weak level changes reflected on the I/O port. However, the international technical requirements for smart card manufacturers are very strict, and these emissions are required to be so low that they cannot be detected. Only a handful of companies worldwide can produce smart cards, and they have adopted various security measures to ensure that the data inside the smart card cannot be physically copied from the outside.

The USB Key and the smart card are identical in structure and technology except for the physical I/O interface, and their security is the same. The only difference is that the smart card is connected to the computer's serial interface through a card reader, while the USB Key plugs directly into the computer's universal serial bus (USB) interface. In addition, the communication speed of the USB interface is much higher than that of the serial interface. Computers produced today have a USB interface as standard, whereas using a smart card requires a card reader. For these reasons, every CA promotes the USB Key as the preferred storage medium for certificates and private keys. The fly in the ointment is that the USB Key still costs slightly more. Banks are required to pay a fee of 50 to 80 yuan when they implement the USB Key media certificate.

Problems that still need attention

It should be pointed out here that some products sold as smart cards are actually storage-type IC cards without a CPU and have only a storage function. As described above, the security of a storage-type IC card is similar to that of a floppy disk. Users need to distinguish clearly between these two different types of IC card.

The second problem is that although security is fully considered and guaranteed in the design and production of the smart card, human factors can still introduce a security risk. For example, a smart card provides a flash memory area for writing general user data or programs that add functions to the card. Sensitive data and programs are not allowed to be written to the flash area and must be written to a secure memory area. When a smart card is made, the secure area should be masked in hardware. Hardware mask processing takes a lot of time and money, generally about 3 months. To reduce cost and shorten the production schedule in order to meet customer requirements, some card vendors put sensitive data and programs that belong in the secure area into the flash memory area instead. The contents of the flash memory area can be read and written from outside the card, which creates a security risk of being hacked. This requires us to review carefully the production process of the IC card manufacturers we work with.

In addition, to guard against a USB key that is accidentally lost being misused by someone else, many certificate application systems also apply a password authentication mechanism at the time of use. If the password is entered incorrectly, even someone who holds the USB key cannot log in to the application system. This two-factor authentication mechanism makes the USB key more secure and reliable, and it is worth promoting.
